Is it always bad to have register_globals on? What about in a shopping cart (and payment processing) script? Thanks, Peter
NinjaNoodles: that's a pretty bizarre question... what is so special about shopping carts that would make register_globals a good thing to have on? Unless the script is extremely careful, register_globals is bad. It doesn't matter what the script type is (I'm assuming you're thinking about osCommerce, right?). Either way, it's being removed in PHP6 anyway.... not that we can expect that anytime soon, but the future has a way of creeping up on us!
The use of SSL would make it safer, but why not store the shopping cart data into a DB and select it when the user wants to view it? That would make it even safer and just as easy to implement. You could simply store the record ID associated with the shopping cart into a session variable and be done with it.
SSL has no effect on the security of register_globals. SSL is related to encryption between client and server: it has nothing to do with the server application which is what register_globals is all about. With register_globals on, nothing about SSL stops me adding stuff on to a URL to override settings in your code, for example. Might I also add that SSL and e-commerce are not really related as such: you can have e-commerce without SSL and you can have normal sites with SSL, so your question is more to do with SSL, right? Either way, SSL and register_globals are totally unrelated.
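
The point made above about URL parameters overriding variables, shown as an added example that is not part of the thread or any poster's code: a cart total computed the way a register_globals-dependent script would, next to a version that initialises its variables and reads request fields by name. Assumptions: `extract()` stands in for the directive (which no longer exists in current PHP), and the catalogue, session and request arrays and both function names are constructed for illustration.

```php
<?php
// Constructed sample data, not from the thread.
$catalogue = ['widget' => 2500];                        // prices in cents, held server-side
$session   = ['user_id' => 42];                         // ordinary customer, no staff flag
$request   = ['item' => 'widget', 'discount' => '100']; // e.g. ?item=widget&discount=100

// Pattern that register_globals = On made dangerous. extract() emulates the
// directive here by turning every request key into a local variable.
function total_register_globals(array $request, array $session, array $catalogue): int
{
    extract($request);
    if (!empty($session['is_staff'])) {
        $discount = 20;              // the only place the script itself sets $discount
    }
    // For non-staff the script never assigned $discount, so the request's value is used.
    $percent = (int) ($discount ?? 0);
    return intdiv($catalogue[$item] * (100 - $percent), 100);
}

// Hardened: initialise every variable, read request fields by name, validate them.
function total_hardened(array $request, array $session, array $catalogue): int
{
    $discount = 0;                   // always starts from a server-chosen value
    if (!empty($session['is_staff'])) {
        $discount = 20;
    }
    $item = $request['item'] ?? '';
    if (!is_string($item) || !isset($catalogue[$item])) {
        throw new InvalidArgumentException('unknown item');
    }
    // The extra "discount" request field is never consulted.
    return intdiv($catalogue[$item] * (100 - $discount), 100);
}

printf("register_globals-style total: %d cents\n",
    total_register_globals($request, $session, $catalogue));
printf("hardened total:               %d cents\n",
    total_hardened($request, $session, $catalogue));
```

Both calls receive the same request over the same connection; only the second ignores the unexpected `discount` field, which is why transport encryption does not change the outcome.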